Hackers Hide Cyberattacks in Social Media Posts

Jay Kaplan, left, and Mark Kuhr, the founders of Synack, a cybersecurity company. “The problem is pervasive,” Mr. Kaplan said.CreditCreditJim Wilson/The New York Times

By Sheera Frenkel

May 28, 2017

SAN FRANCISCO — It took only one attempt for Russian hackers to make their way into the computer of a Pentagon official. But the attack didn’t come through an email or a file buried within a seemingly innocuous document.

A link, attached to a Twitter post put out by a robot account, promised a family-friendly vacation package for the summer. It was the kind of thing anyone might click on, according to the official hit by the attack, who was not authorized to speak publicly about it.

That is exactly the problem, Pentagon officials and cybersecurity experts said. While corporations and government agencies around the world are training their staff to think twice before opening anything sent by email, hackers have already moved on to a new kind of attack, targeting social media accounts, where people are more likely to be trusting.

Pentagon officials are increasingly worried that state-backed hackers are using social media sites such as Twitter and Facebook to break into Defense Department computer networks. And the human error that causes people to click on a link sent to them in an email is exponentially greater on social media sites, the officials said, because people are more likely consider themselves among friends.

Once one person is compromised, attacks can move quickly through that person’s friend network, leading to what the officials described as a nightmare situation in which entire departments at the Pentagon could be targeted. And while officials know about the problem, training about how to spot an attack that comes through Twitter and Facebook remains limited.

Another official, who spoke to The New York Times on the condition of anonymity because he was not authorized to speak to reporters, described the problem as teaching an entire department to be wary of anything that was sent to it — even if the message appeared to come from family or a friend.

While last year’s hacking of senior Democratic Party officials raised awareness of the damage caused if just a handful of employees click on the wrong emails, few people realize that a message on Twitter or Facebook could give an attacker similar access to their system and that accounts can be spoofed or imitated so it appears that attackers are a trusted friend.

“Spear phishing,” or the act of sending a malicious file or link through a seemingly innocuous message, is hardly new. In November 2015, the State Department revealed that its employees had been spear phished through social media accounts.

But Pentagon officials say the scale of the spear phishing attacks is unlike anything they had ever seen before. A report in Time magazine this month revealed that a Russian-led cyberattack tried to spear phish 10,000 Twitter accounts belonging to Defense Department employees, using personal messages targeted at specific users.

The Defense Department did not respond to a request for comment. In response to a Times reporter, Twitter sent a copy of the company’s anti-spam rules, which said any account that violated its rules would be suspended. A spokesman for Facebook said the company was aware of the problem and was monitoring spear phishing on the platform.

In a recent white paper published by Facebook, the company outlined the common hacking it was seeing. The company said it was using specialized notifications, detection systems and user education to counteract spear fishing.

Cybersecurity companies said spear phishing through social media was one of the fastest-growing methods of attack.

“It’s something that you don’t hear as much about, but the problem is pervasive,” said Jay Kaplan, a former Defense Department cybersecurity expert and senior cyberanalyst at the National Security Agency who is now the chief executive of the cybersecurity company Synack. “Social media gives a number of indicators to an attacker, on a state-sponsored level, that you couldn’t get through email.”

Outside of simply using a spear phishing email to gain access to a network, attackers could use an account to gather intelligence. By watching a group of soldiers posting online, attackers could watch location changes to discern troop movements or engage directly in conversations to try to ferret out military decisions.

“Most people don’t think twice when they are posting on social media. They don’t think about people using the information against them maliciously,” Mr. Kaplan said. “They also don’t assume people on their network might be attackers.”

According to a 2016 report by Verizon, roughly 30 percent of spear phishing emails are opened by their targets. But research published by the cybersecurity firm ZeroFOX showed that 66 percent of spear phishing messages sent through social media sites were opened by their intended victims.

In the Defense Department attack, for example, 7,000 employees took the first step toward being compromised by clicking on a link, said Evan Blair, a co-founder of ZeroFOX. “The attacks are so much more successful because they use your personal timeline and the content you engaged with to target the message to you,” Mr. Blair said.

Simply by looking at public posts, attackers can easily see if an account has mentioned a certain band or sports team often, then tailor a message pointing to tickets going on sale for an event. On Facebook, an attacker can see which groups have been joined, or which public pages have been liked.

In an experiment last year, ZeroFOX created an automated program that taught itself to send spear phishing links to Twitter users. Over two hours, the program sent link to 819 people, at a rate of roughly 6.75 messages per minute. Two hundred seventy five users opened the links.

Mr. Blair said that in the case of the Defense Department, the links had carried the malware. Once people clicked on the link, they were infecting their computer networks. In many cases, the attackers targeted members of Defense Department employees’ families, who were less likely to be suspicious.

The Defense Department employee who told The Times that he had been part of the recent breach said he had been targeted through his wife’s Twitter account. She was the one to click on a link to a vacation package, after exchanging messages with friends over what they should do with their children over the summer.

Once the hackers got into her computer, the official said, they got to his computer through a shared home network.

A version of this article appears in print on , on Page B1 of the New York edition with the headline: Hackers Use Social Media As Way to Get Past Defenses. Order Reprints | Today’s Paper | Subscribe